Specifying an alternate encryption provider

Return-Path: X-Original-To: apmail-db-derby-commits-archive@www.apache.org Delivered-To: apmail-db-derby-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BF3BCDE00 for ; Mon, 8 Oct 2012 17:03:44 +0000 (UTC) Received: (qmail 72407 invoked by uid 500); 8 Oct 2012 17:03:44 -0000 Delivered-To: apmail-db-derby-commits-archive@db.apache.org Received: (qmail 72384 invoked by uid 500); 8 Oct 2012 17:03:44 -0000 Mailing-List: contact derby-commits-help@db.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: "Derby Development" List-Id: Delivered-To: mailing list derby-commits@db.apache.org Received: (qmail 72377 invoked by uid 99); 8 Oct 2012 17:03:44 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 08 Oct 2012 17:03:44 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 08 Oct 2012 17:03:38 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id D1DA623889B8; Mon, 8 Oct 2012 17:02:53 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1395663 - /db/derby/docs/branches/10.6/src/devguide/ Date: Mon, 08 Oct 2012 17:02:53 -0000 To: derby-commits@db.apache.org From: chaase3@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20121008170253.D1DA623889B8@eris.apache.org> Author: chaase3 Date: Mon Oct 8 17:02:52 2012 New Revision: 1395663 URL: http://svn.apache.org/viewvc?rev=1395663&view=rev Log: DERBY-1721 DOCS - Remove duplicate information in Dev Guide re: Encryption Merged DERBY-1721-2.diff to 10.6 docs branch from trunk revision 1395617. Removed: db/derby/docs/branches/10.6/src/devguide/tdevdvlp14496.dita db/derby/docs/branches/10.6/src/devguide/tdevdvlp40140.dita db/derby/docs/branches/10.6/src/devguide/tdevdvlpcreateencryptdbextkey.dita Modified: db/derby/docs/branches/10.6/src/devguide/cdevcsecure24366.dita db/derby/docs/branches/10.6/src/devguide/cdevcsecure31493.dita db/derby/docs/branches/10.6/src/devguide/cdevcsecure60146.dita db/derby/docs/branches/10.6/src/devguide/cdevcsecure67151.dita db/derby/docs/branches/10.6/src/devguide/cdevcsecure866716.dita db/derby/docs/branches/10.6/src/devguide/cdevcsecure88690.dita db/derby/docs/branches/10.6/src/devguide/cdevcsecure96815.dita db/derby/docs/branches/10.6/src/devguide/cdevdvlp51654.dita db/derby/docs/branches/10.6/src/devguide/derbydev.ditamap db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewbootpw.dita db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewextkey.dita db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewkeyoverview.dita db/derby/docs/branches/10.6/src/devguide/tdevcsecureunencrypteddb.dita Modified: db/derby/docs/branches/10.6/src/devguide/cdevcsecure24366.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/cdevcsecure24366.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/cdevcsecure24366.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/cdevcsecure24366.dita Mon Oct 8 17:02:52 2012 @@ -37,7 +37,8 @@ are platform-independent files that are number of ways, including transport over the Internet. Recipients of the data might not know how, or might not have the means, to properly protect the data.

This data encryption feature provides the ability to store user data in -an encrypted form. The user who boots the database must provide a boot password.

+an encrypted form. The user who boots the database must provide a boot password +or encryption key.

Jar files stored in the database are not encrypted. Modified: db/derby/docs/branches/10.6/src/devguide/cdevcsecure31493.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/cdevcsecure31493.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/cdevcsecure31493.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/cdevcsecure31493.dita Mon Oct 8 17:02:52 2012 @@ -21,7 +21,7 @@ limitations under the License. Specifying an alternate encryption provider You can specify an alternate provider when you create the database -with the encryptionProvider=providerName attribute. +with the encryptionProvider=providerName attribute. Encryption providersconfiguring @@ -29,20 +29,18 @@ with the encryptionProvider=p
You must specify the full package and class name of the provider, and you must also add the libraries to the application's classpath.
- --- using the the provider library jce_jdk13-10b4.zip| +-- using the the provider library bcprov-jdk15on-147.jar -- available from www.bouncycastle.org jdbc:derby:encryptedDB3;create=true;dataEncryption=true; bootPassword=clo760uds2caPe; encryptionProvider=org.bouncycastle.jce.provider.BouncyCastleProvider; encryptionAlgorithm=DES/CBC/NoPadding --- using a provider --- available from --- http://jcewww.iaik.tu-graz.ac.at/download.html +-- using a provider available from +-- http://jce.iaik.tugraz.at/sic/Download jdbc:derby:encryptedDB3;create=true;dataEncryption=true; bootPassword=clo760uds2caPe; -encryptionProvider=iaik.security.provider.IAIK;encryptionAlgorithm= -DES/CBC/NoPadding +encryptionProvider=iaik.security.provider.IAIK; +encryptionAlgorithm=DES/CBC/NoPadding Modified: db/derby/docs/branches/10.6/src/devguide/cdevcsecure60146.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/cdevcsecure60146.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/cdevcsecure60146.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/cdevcsecure60146.dita Mon Oct 8 17:02:52 2012 @@ -19,10 +19,10 @@ limitations under the License. --> Booting an encrypted database -If you create an encrypted database using the bootPassword attribute, -you must specify the boot password to reboot the database. If you create an -encrypted database using the encryptionKey attribute, you must specify -the encryptionKey to reboot the database. +If you create an encrypted database using the bootPassword=key +attribute, you must specify the boot password to reboot the database. If you +create an encrypted database using the encryptionKey=key attribute, you +must specify the encryption key to reboot the database. encrypted databasesbooting @@ -30,20 +30,21 @@ the encryptionKey to reboot the d
Encrypted databases cannot be booted automatically along with all other system databases on system startup (see "derby.system.bootAll" in the -). Instead, you boot encrypted -databases when you first connect to the database.
+). Instead, you boot an encrypted +database when you first connect to the database.

-
Booting a database with the bootPassword attribute
+
Booting a database with the bootPassword=key attribute

To access an encrypted database called wombat that was created with the boot password clo760uds2caPe, use the following connection URL:jdbc:derby:wombat;bootPassword=clo760uds2caPe
-
Booting a database with the encryptionKey attribute
+
Booting a database with the encryptionKey=key attribute

To access an encrypted database called flintstone that -was created with the encryptionKey=c566bab9ee8b62a5ddb4d9229224c678 and -with the encryptionAlgorithm=AES/CBC/NoPadding, use the following -connection URL: jdbc:derby:flintstone;encryptionAlgorithm=AES/CBC/NoPadding; -encryptionKey=c566bab9ee8b62a5ddb4d9229224c678
+was created with the attributes +encryptionKey=c566bab9ee8b62a5ddb4d9229224c678 and +encryptionAlgorithm=AES/CBC/NoPadding, use the following +connection URL: +jdbc:derby:flintstone;encryptionKey=c566bab9ee8b62a5ddb4d9229224c678

After the database is booted, all connections can access the database without the boot password. Only a connection that boots the database requires the Modified: db/derby/docs/branches/10.6/src/devguide/cdevcsecure67151.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/cdevcsecure67151.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/cdevcsecure67151.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/cdevcsecure67151.dita Mon Oct 8 17:02:52 2012 @@ -59,8 +59,8 @@ the encryptionAlgorithm=algorithm is not supported by the provider you have specified, throws an exception.

To specify the AES encryption algorithm with a key length other than the -default of 128, specify the encryptionKeyLength attribute. For example, -you might specify the following connection attributes:
+default of 128, specify the encryptionKeyLength=length attribute. For +example, you might specify the following connection attributes:
jdbc:derby:encdbcbc_192;create=true;dataEncryption=true; encryptionKeyLength=192;encryptionAlgorithm=AES/CBC/NoPadding; Modified: db/derby/docs/branches/10.6/src/devguide/cdevcsecure866716.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/cdevcsecure866716.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/cdevcsecure866716.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/cdevcsecure866716.dita Mon Oct 8 17:02:52 2012 @@ -19,9 +19,10 @@ See the License for the specific languag limitations under the License. --> -Creating the boot password -When you encrypt a database you must also specify a boot password, -which is an alpha-numeric string used to generate the encryption key. +Creating a boot password +When you encrypt a database you usually specify a boot password, +which is an alphanumeric string used to generate the encryption key. (You can +also specify an encryption key directly.)
The length of the encryption key depends on the algorithm used:
@@ -36,14 +37,15 @@ of bytes in the encryption key (56 bits= bytes). The minimum number of characters for the boot password allowed by is eight.
It is a good idea not to use words that would be easily guessed, such as -a login name or simple words or numbers. A bootPassword, like any password, -should be a mix of numbers and upper- and lowercase letters.
+a login name or simple words or numbers. A boot password, like any password, +should be a mix of numbers and uppercase and lowercase letters.

You turn on and configure encryption and specify the corresponding boot password on the connection URL for a database when you create it:
jdbc:derby:encryptionDB1;create=true;dataEncryption=true; - bootPassword=clo760uds2caPe -If you lose the bootPassword and the database is not currently +bootPassword=clo760uds2caPe +If you lose the boot password and the database is not currently booted, you will not be able to connect to the database anymore. (If you know -the current bootPassword, you can change it. See .) +the current boot password, you can change it. See +.) Modified: db/derby/docs/branches/10.6/src/devguide/cdevcsecure88690.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/cdevcsecure88690.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/cdevcsecure88690.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/cdevcsecure88690.dita Mon Oct 8 17:02:52 2012 @@ -20,23 +20,35 @@ limitations under the License. --> Encrypting databases on creation -You configure a database -for encryption when you create the database by specifying the dataEncryption=true attribute -on the connection URL. +You configure a + database for encryption +when you create the database by specifying attributes on the connection URL. encrypting databaseson creation databasesencrypting, on creation -
The Java Runtime Environment (JRE) determines the default encryption provider, -as follows:

-
For J2SE/J2EE 1.4 or higher, the JRE's provider is the default.
-
If your environment for some reason does not include a provider, it must be specified.
+
To enable encryption, use the dataEncryption=true attribute.
+
To provide a key for the encryption, specify either the +bootPassword=key attribute or the encryptionKey=key +attribute.

-
You have the option of specifying an alternate encryption provider. The -default encryption algorithm is DES, but you have the option of specifying -an alternate algorithm as well. See
+
The following connection URL specifies a boot password:
+jdbc:derby:encryptedDB;create=true;dataEncryption=true; +bootPassword=DBpassword +
The following URL specifies an encryption key: +jdbc:derby:encryptedDB;create=true;dataEncryption=true; +encryptionKey=6162636465666768
+
The default encryption algorithm is DES.
+
You can specify an encryption provider and/or encryption algorithm +other than the defaults by using the encryptionProvider=providerName and +encryptionAlgorithm=algorithm attributes. See + and + for more +information.
+
See the for details on the +connection URL attributes.
Modified: db/derby/docs/branches/10.6/src/devguide/cdevcsecure96815.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/cdevcsecure96815.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/cdevcsecure96815.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/cdevcsecure96815.dita Mon Oct 8 17:02:52 2012 @@ -28,11 +28,18 @@ limitations under the License.
supports disk encryption and requires an encryption provider. An encryption provider -implements the Java cryptography concepts. The JRE for J2SE 1.4 and -higher includes Java Cryptographic Extensions (JCE http://java.sun.com/products/jce/index.html) -and one or more default encryption providers. +implements the Java cryptography concepts. The Java Runtime Environment (JRE) +for Java SE includes Java Cryptographic Extensions (JCE, part of the +Java Cryptography Architecture) and one or more default encryption providers. +For more information, see the Java Cryptography Architecture (JCA) Reference Guide.
+
The JRE determines the default encryption provider as follows:
+
+
The JRE's provider is the default.
+
If your environment for some reason does not include a provider, it must be +specified.
+
Modified: db/derby/docs/branches/10.6/src/devguide/cdevdvlp51654.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/cdevdvlp51654.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/cdevdvlp51654.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/cdevdvlp51654.dita Mon Oct 8 17:02:52 2012 @@ -35,6 +35,16 @@ a database server. For more information, along with a connection URL to DriverManager.getConnection when obtaining a connection; see .

All attributes are optional.
+
For more information on working with connection URL attributes, see the +following: +
+
for information +on database encryption
+
for information on tracing +network clients, replicating databases, restoring databases from backup, and +logging on separate devices
+
+

For complete information about the attributes, see "Setting attributes for the database connection URL" in the .
Modified: db/derby/docs/branches/10.6/src/devguide/derbydev.ditamap URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/derbydev.ditamap?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/derbydev.ditamap (original) +++ db/derby/docs/branches/10.6/src/devguide/derbydev.ditamap Mon Oct 8 17:02:52 2012 @@ -292,10 +292,6 @@ limitations under the License. - - - - @@ -308,10 +304,6 @@ limitations under the License. - - - - @@ -328,40 +320,6 @@ limitations under the License. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -1427,7 +1385,7 @@ system"> - + @@ -1790,12 +1748,6 @@ system"> - - - - - - Modified: db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewbootpw.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewbootpw.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewbootpw.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewbootpw.dita Mon Oct 8 17:02:52 2012 @@ -21,8 +21,8 @@ limitations under the License. Encrypting databases with a new boot password You can apply a new boot password to a database -by specifying the newBootPassword attribute on the connection URL when -you boot the database. +by specifying the newBootPassword=newPassword attribute on the connection +URL when you boot the database. encrypting databasesnew boot password databasesencrypting, new boot password @@ -33,23 +33,26 @@ you boot the database.
If the database is configured with log archival for roll-forward recovery, you must disable log archival and perform a shutdown before you can encrypt the database with a new boot password.
-
If there are any global transaction that are in the prepared state after +
If any global transactions are in the prepared state after recovery, the database cannot be encrypted with a new boot password.

If the database is currently encrypted with an external encryption key, -you should use the newEncryptionKey attribute -to encrypt the database.
+use the +newEncryptionKey=key attribute to encrypt the database. -
When you use the newBootPassword attribute, a new encryption -key is generated internally by the engine and the key is protected using the -new boot password. The newly generated encryption key encrypts the database, +
When you use the newBootPassword=newPassword attribute, a new +encryption key is generated internally by the engine, and the key is protected +using the new boot password. The newly generated encryption key encrypts the database, including the existing data. You cannot change the encryption provider or encryption algorithm when you apply a new boot password.
To encrypt a database with a new boot password:
-Specify the newBootPassword attribute in a URL and reboot -the database.For example, when the following URL is used when -the salesdb database is rebooted, the database is encrypted -with the new encryption key, and is protected by the password new1234xyz: jdbc:derby:salesdb;bootPassword=abc1234xyz;newBootPassword=new1234xyzSpecify the newBootPassword=newPassword attribute in a URL and +reboot the database. +For example, if you use the following URL to reboot +the salesdb database, the database is encrypted +with the new encryption key and is protected by the password +new1234xyz: +jdbc:derby:salesdb;bootPassword=abc1234xyz;newBootPassword=new1234xyz
Modified: db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewextkey.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewextkey.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewextkey.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewextkey.dita Mon Oct 8 17:02:52 2012 @@ -21,7 +21,7 @@ limitations under the License. Encrypting databases with a new external encryption key You can apply a new external encryption key to a database -by specifying the newEncryptionKey attribute on the connection URL +by specifying the newEncryptionKey=key attribute on the connection URL when you boot the database. encrypting databasesnew external key @@ -33,19 +33,22 @@ when you boot the database.
If the database is configured with log archival for roll-forward recovery, you must disable log archival and perform a shutdown before you can encrypt the database with a new external encryption key.
-
If there are any global transaction that are in the prepared state after +
If any global transaction are in the prepared state after recovery, the database cannot be encrypted with a new encryption key.
-
If the database is currently encrypted with a boot password , you should -use the newBootPassword attribute -to encrypt the database.
+
If the database is currently encrypted with a boot password, +use the +newBootPassword=newPassword attribute to encrypt the +database.

To encrypt a database with a new external encryption key:
-Specify the newEncryptionKey attribute in a URL and reboot -the database.For example, when the following URL is used when -the salesdb database is rebooted, the database is encrypted -with the new encryption key 6862636465666768:jdbc:derby:salesdb;encryptionKey=6162636465666768;newEncryptionKey=6862636465666768' +Specify the newEncryptionKey=key attribute in a URL and reboot +the database.For example, if you use the following URL to reboot +the salesdb database, the database is encrypted +with the new encryption key 6862636465666768: +jdbc:derby:salesdb;encryptionKey=6162636465666768; +newEncryptionKey=6862636465666768' +
If authentication Modified: db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewkeyoverview.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewkeyoverview.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewkeyoverview.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/tdevcsecurenewkeyoverview.dita Mon Oct 8 17:02:52 2012 @@ -28,10 +28,10 @@ by specifying a new boot password or a n -
Encrypting a database with a new encryption key is a time consuming +
Encrypting a database with a new encryption key is a time-consuming process because it involves encrypting all of the existing data in the database with the new encryption key. If the process is interrupted before completion, -all the changes are rolled back the next time that the database is booted. +all the changes are rolled back the next time the database is booted. If the interruption occurs immediately after the database is encrypted with the new encryption key but before the connection is returned to the application, you might not be able to boot the database with the old encryption key. In @@ -40,7 +40,7 @@ encryption key.
encrypt -the database with a new boot password key, use the newBootPassword attribute. +the database with a new boot password key, use the +newBootPassword=newPassword attribute. To encrypt -the database with a new external encryption key, use the newEncryptionKey attribute. +the database with a new external encryption key, use the +newEncryptionKey=key attribute. If authentication Modified: db/derby/docs/branches/10.6/src/devguide/tdevcsecureunencrypteddb.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.6/src/devguide/tdevcsecureunencrypteddb.dita?rev=1395663&r1=1395662&r2=1395663&view=diff ============================================================================== --- db/derby/docs/branches/10.6/src/devguide/tdevcsecureunencrypteddb.dita (original) +++ db/derby/docs/branches/10.6/src/devguide/tdevcsecureunencrypteddb.dita Mon Oct 8 17:02:52 2012 @@ -32,18 +32,24 @@ The attributes that you specify depend o

If the database is configured with log archival, you must disable log archival and perform a shutdown before you can encrypt the database.
-
If there are any global transaction that are in the prepared state after +
If any global transactions are in the prepared state after recovery, the database cannot be encrypted.

When you encrypt an existing, unencrypted database, you can specify -whether the database should be encrypted using a boot password or an external -encryption key. You can also specify the encryptionProvider attribute -and the encryptionAlgorithm attribute on the connection URL. The database -is configure with the specified encryption attributes and all of the existing -data in the database is encrypted.
Encrypting a database is a time -consuming process because it involves encrypting all of the existing data +whether the database should be encrypted using a boot password +(bootPassword=key) or an external encryption key +(encryptionKey=key). You can also specify the +encryptionProvider=providerName attribute and the +encryptionAlgorithm=algorithm attribute on the connection URL. The +database +is configured with the specified encryption attributes, and all of the existing +data in the database is encrypted.
+
See the for details on the +connection URL attributes.
+
Encrypting a database is a +time-consuming process because it involves encrypting all of the existing data in the database. If the process is interrupted before completion, all the -changes are rolled back the next time that the database is booted. If the +changes are rolled back the next time the database is booted. If the interruption occurs immediately after the database is encrypted but before the connection is returned to the application, you might not be able to boot the database without the boot password or external encryption key. In these @@ -52,13 +58,14 @@ or the external encryption key.
To encrypt an existing unencrypted database:
-Specify the dataEncryption=true attribute and either the encryptionKey attribute -or the bootPassword attribute in a URL and boot the database. +Specify the dataEncryption=true attribute and either the +encryptionKey=key attribute or the bootPassword=key attribute in +a connection URL and boot the database. For example, to encrypt the salesdb database with the boot password abc1234xyz, specify the following attributes in the URL:jdbc:derby:salesdb;dataEncryption=true;bootPassword=abc1234xyz